OAuth re-auth for `claude agents` fails with ECONNREFUSED on `org:create_api_key` scope

Resolved 💬 4 comments Opened May 23, 2026 by redemerco Closed Jun 27, 2026

Describe the bug

When opening claude agents (the interactive TUI), the CLI launches an OAuth re-authorization flow requesting the org:create_api_key scope (which the standard /login flow does not include). After approving in the browser at claude.com/cai/oauth/authorize, the redirect lands on platform.claude.com/oauth/code/callback and returns a code#state string. When that code is pasted (or auto-consumed) back into the CLI, the UI shows:

Login
OAuth error: ECONNREFUSED

Press Enter to retry.
Esc to cancel.

Retrying loops back to the same error.

What I verified locally (so it's not the obvious things)

  • Network is fine — curl to claude.com, platform.claude.com, api.anthropic.com, claude.com/cai/oauth/authorize (→ 307), claude.com/cai/oauth/token (→ 405 on empty POST, i.e. endpoint is reachable) all succeed over IPv4 and IPv6.
  • No proxy env vars, no /etc/hosts overrides for claude/anthropic, no Little Snitch / LuLu running.
  • Standard /login works and refreshes the token, but the resulting token only carries the regular scopes (user:profile, user:inference, user:mcp_servers, user:sessions:claude_code, user:file_upload) — org:create_api_key is never granted.
  • Reproduces on both 2.1.148 and 2.1.150 with identical OAuth URL (same client_id, same code_challenge, only state differs across attempts) — so it's not a version regression in the binary.
  • Daemon IPC socket (/tmp/cc-daemon-501/<id>/control.sock) responds healthy to {"op":"ping"}.

This makes me think the failure is on the code→token exchange path for the extended scope, possibly server-side.

Repro

  1. Be already logged in with the standard /login (no org:create_api_key scope).
  2. Run claude agents.
  3. Approve in the browser when the URL pops up.
  4. Result: OAuth error: ECONNREFUSED.

Environment

  • Claude Code: 2.1.150 (also reproduces on 2.1.148)
  • OS: macOS Darwin 25.3.0 (arm64, M4)
  • Shell: zsh

Workaround

Existing background agents are unaffected — they can be listed with claude agents --json and resumed with claude --resume <sessionId>. Only the interactive claude agents TUI is blocked.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗